A little over a week ago in my post on Google Tracking, I remarked that nothing short of strictly enforced GDPR-syle legislation would get Google and the other adtech miscreants to behave. I ended on the cynical note that maybe even then they wouldn’t behave. It turns out that I was right to be cynical.
The Irish Times is reporting that Google has been accused of secretly sending users’ personal data to advertisers. They’re doing this with a new mechanism being called “push pages.” The details are technical and a bit hard to understand but the TL;DR is it allows participants in Google’s real time bidding program to match the user with their own profiles and to share that information with other participants. Google has assured us that neither of those activities would be possible with their new GDPR-compliant protocols.
Johnny Ryan from Brave decided to investigate how Google handled his personal data and ran some tests. What he found was alarming. Google is, in fact, doing both those things. Ryan’s account, which the Irish Times report is based on, has a few more details including a link to his formal complaint to the Irish Data Protection Commission (DPC), an example of a push page, and a sequence diagram showing how the new scheme works.
If the charges are verified by the DPC, Google will undoubted be fined several million Euros. The problem is that they won’t care; the fine will simply be written off as a cost of doing business. If we want to end the scourge of adtech, the only thing that will get it done is putting a few executives in jail. I’m really against the automatic urge (especially in the U.S.) to put people in jail for the slightest infraction but I don’t think anything else will get the adtech industry’s attention. Fines certainly haven’t helped.